Since an embedded device such as a mobile phone holds valuable assets such as paid content, it has become a target of attacks that aim to obtain them fraudulently. One such attack is data probing. Data probing is an attack that electrically reads out data from exposed data bus wiring between an MPU (Micro Processor Unit) chip and an external RAM (Random Access Memory).
Data scrambling is a method of preventing information leakage due to data probing. Data scrambling converts data into scrambled data before it leaves the MPU chip, to keep the contents of the data confidential from the attacker.
Here, FIG. 1 is explained. FIG. 1 illustrates an example of conventional data scrambling.
In FIG. 1, an MPU chip 1, which is a data processing apparatus, has an address bus 11 and a data bus 12, each w bits wide and each connected to an external RAM 2, which is a memory apparatus. Furthermore, the MPU chip 1 contains a processor 100 and a scramble unit 200.
The address bus 11 outputs the address data that the processor 100 outputs to give to the external RAM 2.
The scramble unit 200 obtains confidential data by scrambling the write-in data that the processor 100 outputs for the storage position in the external RAM 2 specified by the address data output on the address bus 11.
The data bus 12 outputs the confidential data that the scramble unit 200 has obtained.
The configuration of the scramble unit 200 presented in FIG. 1 is further explained.
The scramble unit 200 is configured to have a key register 201, an exclusive OR circuit (hereinafter, referred to as an “XOR circuit”) 202, a substitution function processing unit 203, and an XOR circuit 204.
The key register 201 is a register in which scramble key data K of w-bit is stored.
The XOR circuit 202 XORs the same address data as that output by the address bus 11 and the scramble key data stored in the key register 201 for each bit.
The substitution function processing unit 203 performs a substitution conversion process to associate w-bit data output from the XOR circuit 202 uniquely with any data expressed in w-bit and to output the uniquely associated data.
During the scrambling operation, the XOR circuit 204 XORs, for each bit, the write-in data output by the processor 100 and the data (mask value) corresponding to the address data, which is output from the substitution function processing unit 203. The data output from the XOR circuit 204 is the confidential data, that is, the scrambled write-in data, and it is output from the data bus 12 to the external RAM 2. The confidential data is stored in the storage position in the external RAM 2 specified by the address data output by the address bus 11.
When the MPU chip 1 reads out the confidential data from the external RAM 2, the scramble unit 200 performs a descrambling operation.
The address data output from the address bus 11 when the MPU chip 1 reads out the confidential data from the external RAM 2 is the same as when the confidential data was written in. Therefore, if the scramble key data K in the key register 201 and the substitution conversion F in the substitution function processing unit 203 are both the same as at the time of the scrambling operation, the mask value output from the substitution function processing unit 203 when the confidential data is read out is the same as when the confidential data was written in.
During the descrambling operation, the XOR circuit 204 XORs, for each bit, the confidential data read out from the external RAM 2 and the mask value output from the substitution function processing unit 203. Here, since the mask value is the same at the time of writing in and reading out the confidential data, the XOR results in the original write-in data. The descrambling of the confidential data is completed as described above, and the obtained original write-in data is read into the processor 100.
As described above, in the configuration presented in FIG. 1, the scramble unit 200 inside the MPU chip 1 performs scrambling of write-in data to the external RAM 2. That is, since the wiring between the processor 100 and the scramble unit 200 is not exposed outside the MPU chip 1, write-in data cannot be read out by data probing before it is subjected to scrambling.
In addition, in the configuration presented in FIG. 1, the processor 100 performing the data processing generally calculates the mask value in advance, using the characteristic that address data can be prepared on the address bus 11 before write-in data is prepared. By reducing the processing applied to the write-in data as much as possible in this way, the high-speed response performance needed to complete the scrambling process within the delay time allowed between the processor 100 and the external RAM 2 is achieved.
Generally, in the scrambling of write-in data to the memory apparatus, safety can be improved by generating the mask value with a shared key block cipher or the like, and the safety is maintained even if the processing scheme is revealed. However, since the processing of a shared key block cipher is generally complicated, using one makes it impossible to satisfy the high-speed response performance required of the data bus 12 transmitting the write-in data.
Meanwhile, the scrambling adopting the configuration presented in FIG. 1 ensures security, by embedding the scramble unit 200 in the MPU chip 1, through the difficulty for the attacker of learning the algorithm that generates the mask value. Scrambling with this configuration has the feature that, since its calculation volume is smaller than when cryptographic processing that remains safe even if the scrambling algorithm is revealed is used, the processing can be performed at high speed.
In addition, the scramble unit 200 in the configuration presented in FIG. 1 generates scrambled data (confidential data) using both the write-in data and the address data output from the processor 100. With a data scramble algorithm that also depends on the address data, even for the same write-in data, the scrambled data written into the external RAM 2 differs according to the address data, improving the resistance to analysis.
Meanwhile, as other background art, a technique to perform scrambling of data also at the memory unit side and a technique of double encryption to further encrypt encrypted data have been known (e.g. Japanese Laid-open Patent Publication Nos. 2001-109667, 2002-328844 and 2004-110408).
By the way, as described earlier, by providing the scramble unit 200 within the MPU chip 1, it has become possible to make data confidential from data probing. However, there still remains the risk that the attacker analyses the scramble algorithm. In order to ensure the security of the scrambling, the security of the scramble algorithm needs to be evaluated.
One of the items used to evaluate the security of a keyed scramble algorithm, that is, an algorithm that performs data scrambling using scramble key data as adopted in the scramble unit 200 in FIG. 1, is resistance to brute force key attacks based on a known plaintext attack.
In a brute force key attack, the attacker is given everything except the scramble key data: a combination of write-in data, scrambled data and address data produced with that key, and hardware implementing the keyed scramble algorithm. The attacker then executes scrambling while setting the scramble key data arbitrarily, and repeats the execution until the scramble key data used in the given combination is identified.
The resistance to the brute force key attack increases as the key length of the scramble key data becomes longer. In addition, security is ensured by making the calculation volume required for the brute force key attack a value that cannot be calculated within a practical period of time.
For the keyed scramble algorithm adopted in the scramble unit 200 in FIG. 1, the key length (bit length) of the scramble key data cannot be longer than the word length of the processor 100.
For example, the word length of the processor for a number of embedded devices is currently below 32 bits. Here, a brute force key attack on the scramble unit 200 is considered for the case in which the word length is assumed to be 32 bits. Supposing that scrambling can be executed 1000 times per second, the scramble key data could be found in 50 days.
In addition, chosen plaintext attacks have been known as a method of attacking a keyed scramble algorithm. This attack assumes that the attacker does not know the scramble key data but can obtain scrambled data while setting the write-in data and address data freely. In other words, this attack assumes a higher ability of the attacker than the brute force key attack does.
In the scramble unit 200 in FIG. 1, the attacker first creates a pair of write-in data and scrambled data for all address data. Then, the mask value for all the scrambled data can be found by XORing the scrambled data and the write-in data. It then becomes possible for the attacker to descramble the scrambled data of a given address into the original data using the obtained mask value, without finding the scramble key data.
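The following model of the FIG. 1 scramble unit is an added example, not code from the publication, for checking the properties evaluated above: the mask value depends only on the address and key, never on the write-in data, and a 32-bit key space is exhausted in about 50 days at 1000 trials per second. The page does not specify the substitution conversion F, so `subst_f` is a constructed bijection, and the key, addresses and data words are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: F is not given on the page. This constructed F is a
   bijection on 32-bit words (xor-shift and odd multiply both invert). */
static uint32_t subst_f(uint32_t x) {
    x ^= x >> 16;
    x *= 0x45d9f3bu;
    x ^= x >> 16;
    return x;
}

/* XOR circuit 202 followed by unit 203: mask = F(address XOR K). */
static uint32_t mask_value(uint32_t key, uint32_t addr) {
    return subst_f(addr ^ key);
}

/* XOR circuit 204: the same operation scrambles and descrambles. */
static uint32_t scramble(uint32_t key, uint32_t addr, uint32_t data) {
    return data ^ mask_value(key, addr);
}

/* What a bus observer can compute from one write-in/scrambled pair. */
static uint32_t observed_mask(uint32_t write_in, uint32_t scrambled) {
    return write_in ^ scrambled;
}

/* Days needed to try every key of key_bits bits at rate trials/second. */
static double exhaustive_search_days(unsigned key_bits, double rate) {
    double keys = 1.0;
    for (unsigned i = 0; i < key_bits; i++) keys *= 2.0;
    return keys / rate / 86400.0;
}

int main(void) {
    const uint32_t K = 0x1234abcdu;              /* constructed key */
    uint32_t c1 = scramble(K, 0x1000u, 0xdeadbeefu);
    uint32_t c2 = scramble(K, 0x1004u, 0xdeadbeefu);
    printf("same data, two addresses: %08x %08x\n", (unsigned)c1, (unsigned)c2);
    printf("round trip: %08x\n", (unsigned)scramble(K, 0x1000u, c1));
    /* Two different writes to one address expose the same mask. */
    printf("masks at 0x1000: %08x %08x\n",
           (unsigned)observed_mask(0xdeadbeefu, c1),
           (unsigned)observed_mask(0u, scramble(K, 0x1000u, 0u)));
    printf("32-bit key at 1000/s: %.1f days\n",
           exhaustive_search_days(32, 1000.0));
    return 0;
}
```

Because the two masks printed for address 0x1000 are identical, confidentiality of any later word at that address rests on the mask staying unobserved, not on the key length.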